Merge pull request #82 from marcofranssen/resolve-gh-api-rate-limits

fix: resolve gh api rate limits
aquasecurity · Oct 31, 2022 · f2c4d29 · f2c4d29 · quinot · Nov 2, 2022
2 parents d9fa643 + 17da140
commit f2c4d29
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 17 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,7 @@
 FROM public.ecr.aws/docker/library/alpine:3.12
 
 RUN apk --no-cache --update add bash git \
+    jq curl \
     && rm -rf /var/cache/apk/*
 
 COPY entrypoint.sh /entrypoint.sh

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,30 +1,52 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -xe
 
+if [ -z "${INPUT_GITHUB_TOKEN}" ] ; then
+  echo "Consider setting a GITHUB_TOKEN to prevent GitHub api rate limits." >&2
+fi
+
 TFSEC_VERSION=""
-if [ "$INPUT_TFSEC_VERSION" != "latest" ]; then
+if [ "$INPUT_TFSEC_VERSION" != "latest" ] && [ -n "$INPUT_TFSEC_VERSION" ]; then
   TFSEC_VERSION="/tags/${INPUT_TFSEC_VERSION}"
+else
+  TFSEC_VERSION="/latest"
 fi
 
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec-linux-amd64" | head -n1)" > tfsec-linux-amd64
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec/releases${TFSEC_VERSION} -O - | grep -m 1 -o -E "https://.+?tfsec_checksums.txt" | head -n1)" > tfsec.checksums
-
-grep tfsec-linux-amd64 tfsec.checksums > tfsec-linux-amd64.checksum
-sha256sum -c tfsec-linux-amd64.checksum
-install tfsec-linux-amd64 /usr/local/bin/tfsec
-
 COMMENTER_VERSION="latest"
-if [ "$INPUT_COMMENTER_VERSION" != "latest" ]; then
-  COMMENTER_VERSION="tags/${INPUT_COMMENTER_VERSION}"
+if [ "$INPUT_COMMENTER_VERSION" != "latest" ] && [ -n "$INPUT_COMMENTER_VERSION" ]; then
+  COMMENTER_VERSION="/tags/${INPUT_COMMENTER_VERSION}"
+else
+  COMMENTER_VERSION="/latest"
 fi
 
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/${COMMENTER_VERSION} -O - | grep -o -E "https://.+?commenter-linux-amd64")" > commenter-linux-amd64
-wget -O - -q "$(wget -q https://api.github.com/repos/aquasecurity/tfsec-pr-commenter-action/releases/${COMMENTER_VERSION} -O - | grep -o -E "https://.+?checksums.txt")" > commenter.checksums
+function get_release_assets {
+  repo="$1"
+  version="$2"
+  args=(
+    -sSL
+    --header "Accept: application/vnd.github+json"
+  )
+  [ -n "${INPUT_GITHUB_TOKEN}" ] && args+=(--header "Authorization: Bearer ${INPUT_GITHUB_TOKEN}")
+  curl "${args[@]}" "https://api.github.com/repos/$repo/releases${version}" | jq '.assets[] | { name: .name, download_url: .browser_download_url }'
+}
+
+function install_release {
+  repo="$1"
+  version="$2"
+  binary="$3-linux-amd64"
+  checksum="$4"
+  release_assets="$(get_release_assets "${repo}" "${version}")"
+
+  curl -sLo "${binary}" "$(echo "${release_assets}" | jq -r ". | select(.name == \"${binary}\") | .download_url")"
+  curl -sLo "$3-checksums.txt" "$(echo "${release_assets}" | jq -r ". | select(.name | contains(\"$checksum\")) | .download_url")"
+
+  grep "${binary}" "$3-checksums.txt" | sha256sum -c -
+  install "${binary}" "/usr/local/bin/${3}"
+}
 
-grep commenter-linux-amd64 commenter.checksums > commenter-linux-amd64.checksum
-sha256sum -c commenter-linux-amd64.checksum
-install commenter-linux-amd64 /usr/local/bin/commenter
+install_release aquasecurity/tfsec "${TFSEC_VERSION}" tfsec tfsec_checksums.txt
+install_release aquasecurity/tfsec-pr-commenter-action "${COMMENTER_VERSION}" commenter checksums.txt
 
 if [ -n "${GITHUB_WORKSPACE}" ]; then
   cd "${GITHUB_WORKSPACE}" || exit
@@ -41,5 +63,5 @@ if [ -n "${INPUT_TFSEC_FORMATS}" ]; then
   TFSEC_OUT_OPTION="${TFSEC_OUT_OPTION%.*}"
 fi
 
-tfsec --out=${TFSEC_OUT_OPTION} --format=${TFSEC_FORMAT_OPTION} --soft-fail ${TFSEC_ARGS_OPTION} "${INPUT_WORKING_DIRECTORY}"
+tfsec --out=${TFSEC_OUT_OPTION} --format="${TFSEC_FORMAT_OPTION}" --soft-fail "${TFSEC_ARGS_OPTION}" "${INPUT_WORKING_DIRECTORY}"
 commenter